How to Close Biomedical HIPAA Compliance & Security Gaps
Session 259, February 14, 2019
Tracey Hughes, Associate COO & Sr. Director of Clinical Engineering, Duke Health Technology Solutions
Clyde Hewitt, VP of Security Strategy, CynergisTek
Conflict of Interest
Tracey Hughes, MMCi: Has no real or apparent conflicts of interest to report.
Clyde Hewitt, MS, CISSP, CHS, ISO 27001 Lead Auditor: Has no real or apparent conflicts of interest to report.
Agenda
Classes of biomedical device security & privacy risk
Strategies for mitigating biomedical device risks
Management strategies to reduce risk to an acceptable level
Classes of Biomedical Risks
This is Real, This is Now
https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/#74
This is Real, This is Now
"...charged Tuesday with stealing $20,000 worth of supplies and medical devices from the hospital since early November..."
"...a magistrate noted that police said he had $20,000 worth of 'equipment' in his home..."
"...worked as a clinical services technician in the Pathology Department..."
https://www.newsobserver.com/news/local/news-columns-blogs/barry-saunders/article197575019.html
This is Real, This is Now
https://www.ebay.com/sch/i.html?infusion+pump
This is Real, This is Now
Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication
...
"The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing."
https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
Ripped from the Headlines
About 18% of provider organizations surveyed by KLAS experienced malware attacks on medical devices in the past 18 months.
https://www.modernhealthcare.com/article/20181005/NEWS/181009942
August 31, 2018 - Nine cybersecurity vulnerabilities have been found in the Philips e-Alert Unit, a tool that monitors MRI system performance, according to an Aug. 30 ICS-CERT advisory.
https://healthitsecurity.com/news/9-cybersecurity-vulnerabilities-found-in-philips-e-alert-tool
October 15, 2018 - The FDA issued a medical device safety alert about cybersecurity vulnerabilities in Medtronic's CareLink programmers that could enable an attacker to change the functionality of the programmer or the implanted pacemaker it controls.
https://healthitsecurity.com/news/fda-warns-of-cybersecurity-vulnerabilities-in-carelink-programmers
November 7, 2018 - ICS-CERT is warning about cybersecurity vulnerabilities in Roche point-of-care handheld medical devices.
https://healthitsecurity.com/tag/medical-device-security
January 30, 2019 - DHS Alerts to Vulnerabilities in Stryker and BD Medical Devices: smart medical beds subject to wireless attacks that can lead to compromise of administrator accounts.
https://healthitsecurity.com/news/dhs-alerts-to-vulnerabilities-in-stryker-and-bd-medical-devices
Understanding Threat Vectors
Biomedical equipment threats come from many sources:
Unauthorized physical access
Physical theft
Lost or misplaced
Technical vulnerabilities allowing remote access
Software vulnerabilities (e.g., bugs)
Adverse Risks and Impact
Establish a Risk Model
Equipment Function (scored 1-10):
Miscellaneous - Non-Patient Related = 1
Miscellaneous - Patient Related = 2
Analytical - Computer and Related Accessories = 3
Analytical - Laboratory Accessories = 4
Analytical - Laboratory Analytical = 5
Diagnostic - General Physiologic Monitoring = 6
Diagnostic - Surgical / ICU / Imaging / Pt. Procedure Room = 7
Therapeutic - Physical Therapy or Treatment = 8
Therapeutic - Surgical / ICU / Imaging / Pt. Procedure Room = 9
Therapeutic - Life Support = 10
Clinical Application (scored 1-5):
No Significant Identified Risk = 1
Equipment Failure / Data Loss / Damage = 2
Inappropriate Therapy or Misdiagnosis = 3
Potential Patient Injury = 4
Potential Patient Death = 5
Patient Safety & Impact: availability, integrity
Financial Impacts: replacement and investigation costs
Compliance Impacts (High, Med, Low): unauthorized access, legal cost, reputational harm
Strategies to Mitigate Risk
Asset Management is Critical
Partnering with Procurement
Pre-purchase considerations - information to collect:
Qualtrics survey - ISO information
MDS2 (Manufacturer Disclosure Statement for Medical Device Security)
BAA (Business Associate Agreement) and DSA
Classes of equipment:
Own
Rent
Demo/loaner
Research
Durable medical equipment
"Appear" through mergers and acquisitions
Don't forget the disposal process
Lifecycle Management
Inventory management: incoming
Incoming: CMDB (configuration management database) considerations
Information to collect
Asset tagging
Engineering design
Ongoing maintenance, upgrades/patching
Disposal process
Software bill of materials
Recommended Controls
Management Strategies
Management Actions
Address biomedical equipment as an enterprise problem
Engage supporting activities to help with asset tracking
Retrain all members of the workforce to treat biomedical equipment as if it contains protected health information
Any loss, theft, or unauthorized access requires a formal response, analysis, and risk review (perhaps mitigation)
Leverage Other Workflows
Biomedical devices are 'touched' by many different departments daily.
[Chart: for each of Clinical staff, Environmental services, Patient transport, Protective services, and Biomedical engineering, the number of biomedical device touchpoints* per year (more/less) plotted against the relative level of security responsibility (more/less).]
Quick Way to Validate the Problem
Self Assessment: 4 Questions For Every CEO/CCO/CIO
1. What are the last 25 biomedical devices that have been added to the "Could Not Locate" (CNL) list?
2. Which of those devices on the CNL list store protected health information (PHI)?
3. Of the missing devices with PHI, how many have been reported to the Office for Civil Rights (OCR) as a breach of PHI?
4. For all remaining devices, what percentage have technical vulnerabilities that cannot be remediated?
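The four questions above can be answered directly from the asset inventory if the intake data the deck lists (PHI storage, CNL status and date, breach-report status, remediability, and the two risk-model scores) is actually recorded. The script below is an added example, not material from the presentation; it runs the four questions over a constructed CSV export with assumed column names, and orders the unremediable devices by the product of the deck's equipment-function and clinical-application scores, which is an assumption made here rather than a formula from the deck.

```python
"""Answer the four self-assessment questions from a CMDB export.

Added example (not from the presentation). It assumes a CSV export whose
columns hold the intake data the deck lists: asset tag, equipment-function
and clinical-application scores, whether the device stores PHI, Could Not
Locate (CNL) status and date, OCR breach-report status, and whether its
known technical vulnerabilities can be remediated. Ranking unremediable
devices by equipment_function * clinical_application is an assumption made
here, not a formula from the deck.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample export; none of these records describe real devices.
SAMPLE_CMDB = """\
asset_tag,device,equipment_function,clinical_application,stores_phi,status,cnl_added,ocr_reported,remediable
BME-0001,Infusion pump,9,4,yes,CNL,2019-01-12,no,yes
BME-0002,Patient monitor,6,3,yes,CNL,2018-12-03,yes,yes
BME-0003,Ultrasound cart,7,3,yes,CNL,2019-02-01,no,no
BME-0004,Ventilator,10,5,no,In service,,,no
BME-0005,Lab analyzer,5,3,yes,In service,,,yes
BME-0006,NIBP cuff module,6,2,no,CNL,2018-11-20,no,yes
BME-0007,Exam table,2,1,no,In service,,,yes
BME-0008,MRI monitor unit,7,4,no,In service,,,no
"""


@dataclass
class Device:
    asset_tag: str
    device: str
    equipment_function: int    # deck scale: 1 (misc, non-patient) .. 10 (life support)
    clinical_application: int  # deck scale: 1 (no significant risk) .. 5 (potential death)
    stores_phi: bool
    status: str                # "CNL" marks a device on the Could Not Locate list
    cnl_added: Optional[date]  # date it was added to the CNL list, if any
    ocr_reported: bool         # loss reported to OCR as a breach of PHI
    remediable: bool           # known technical vulnerabilities can be fixed


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def load_inventory(text: str) -> list[Device]:
    """Parse the CSV export into Device records (empty dates become None)."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        added = row["cnl_added"].strip()
        devices.append(Device(
            asset_tag=row["asset_tag"],
            device=row["device"],
            equipment_function=int(row["equipment_function"]),
            clinical_application=int(row["clinical_application"]),
            stores_phi=_yes(row["stores_phi"]),
            status=row["status"].strip(),
            cnl_added=date.fromisoformat(added) if added else None,
            ocr_reported=_yes(row["ocr_reported"]),
            remediable=_yes(row["remediable"]),
        ))
    return devices


def recent_cnl(devices: list[Device], n: int = 25) -> list[Device]:
    """Question 1: the last n devices added to the CNL list, newest first."""
    cnl = [d for d in devices if d.status == "CNL" and d.cnl_added is not None]
    return sorted(cnl, key=lambda d: d.cnl_added, reverse=True)[:n]


def risk_score(d: Device) -> int:
    """Assumed ordering only: product of the deck's two scales."""
    return d.equipment_function * d.clinical_application


def self_assessment(devices: list[Device], n: int = 25) -> dict:
    """Answer all four questions over one inventory."""
    cnl = recent_cnl(devices, n)
    cnl_phi = [d for d in cnl if d.stores_phi]                   # question 2
    unreported = [d for d in cnl_phi if not d.ocr_reported]      # question 3 gap
    remaining = [d for d in devices if d.status != "CNL"]        # question 4
    unremediable = [d for d in remaining if not d.remediable]
    pct = 100.0 * len(unremediable) / len(remaining) if remaining else 0.0
    return {
        "q1_recent_cnl": [d.asset_tag for d in cnl],
        "q2_cnl_storing_phi": [d.asset_tag for d in cnl_phi],
        "q3_phi_losses_not_reported_to_ocr": [d.asset_tag for d in unreported],
        "q4_pct_remaining_unremediable": round(pct, 1),
        "q4_unremediable_by_assumed_risk": [
            d.asset_tag for d in sorted(unremediable, key=risk_score, reverse=True)
        ],
    }


if __name__ == "__main__":
    for question, answer in self_assessment(load_inventory(SAMPLE_CMDB)).items():
        print(f"{question}: {answer}")
```

For question 3 the script reports the complement of what the slide asks, the CNL devices holding PHI that have no OCR breach report on file, because that list is the one that needs a formal response and risk review under the Management Actions above. On the sample data it is two of the three PHI-bearing losses, and half of the in-service fleet carries vulnerabilities that cannot be patched, with the life-support ventilator at the top of the assumed risk ordering.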
Questions?
Clyde Hewitt
VP, Security Strategy | CynergisTek
clyde.hewitt@cynergistek.com
https://www.linkedin.com/in/clydehewitt/
Tracey Hughes
Associate Chief Operating Officer, DHTS & Senior Director, DHTS Clinical Engineering | Duke University Health System
tracey.hughes@duke.edu
https://www.linkedin.com/in/traceykhughes/